kutaki | 77dfba9b6f16d20471d46be4faf4b0c7ce5be4b95e767d809ae5b71bfe6b57c7

Analysis

max time kernel
446s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Receipt.zip
Size

2.1MB
MD5

bf63fc45c319a29cfad91418a47e0936
SHA1

3a659779ecd57473b596b4a047a62fda9f2f672c
SHA256

77dfba9b6f16d20471d46be4faf4b0c7ce5be4b95e767d809ae5b71bfe6b57c7
SHA512

72fa66028808f4b6384491b5cdb2b46e574394ba57d5a38e2a77c03c8c26371a54af8f4f83944bfde191dd3d1b1cac0ee613f9c0bbbbc3b48b53598e8e93ef6f
SSDEEP

49152:Ipq/wcmd6Kwv92DbDAvDc7+uHH62MtHe0RgedBNmP/Q68rJ:Cq4DdDW9wPoe626+05dBNmP/Q681

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133383171003875478"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "11"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 68003100000000002457898010005041594d454e7e310000500009000400efbe24578880245789802e000000efe7010000000200000000000000000000000000000000262c015000610079006d0065006e0074005f005200650063006500690070007400000018000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "9"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000ec9eade35adcd901fcb5ba6c49dfd901fcb5ba6c49dfd90114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2228 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1776 chrome.exe
1776 chrome.exe
1692 chrome.exe
1692 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

1300 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1776 chrome.exe
1776 chrome.exe
1776 chrome.exe
1776 chrome.exe
1776 chrome.exe

pid	process
2228	NOTEPAD.EXE

pid	process
1300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1268	7zG.exe
Token: 35	1268	7zG.exe
Token: SeSecurityPrivilege	1268	7zG.exe
Token: SeSecurityPrivilege	1268	7zG.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

7zG.exechrome.exe

pid	process
1268	7zG.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

chrome.exe

pid process

1300 chrome.exe
1300 chrome.exe
1300 chrome.exe

pid	process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1776 wrote to memory of 232	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 232	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4220	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4480	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4480	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe
PID 1776 wrote to memory of 4224	1776	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Payment_Receipt.zip
1⤵
PID:3428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5052

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Payment_Receipt\" -spe -an -ai#7zMap18379:88:7zEvent18240
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Payment_Receipt\Payment_Receipt.cmd"
1⤵
PID:880

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Payment_Receipt\Payment_Receipt.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7fff8e569758,0x7fff8e569768,0x7fff8e569778
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:2
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:1
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5228 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5512 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:1
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5768 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3960 --field-trial-handle=1808,i,540032720996264244,14520176532327323124,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
180KB

MD5
497835d373e12af4cd257487dd5d3612

SHA1
425950e9427926ac0aa7940c4a18a44ab59df47a

SHA256
e11ff08dff0a884b311133e2469146b2a54319cf60094511e098df0c3677c4e0

SHA512
aa05611f56185e02289345f9c286ca98f96d5e1d24c8d152605e866e60013dc2945fc60f826e81459003ca9c2b7d439c0f6fdd173cbee57cd751ee51b18d2bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
1KB

MD5
694669da3bf310286d63d8a8a2a0cb3a

SHA1
b93e3b6bceef0f9db05f18470ba5ed9b425f1622

SHA256
6a006925faeb1aca87bcde5125a0adfaf13553f4bc24ea021e343b6b2c39def0

SHA512
0982ca4dc5f6f3307c7485c77855fa2a051839edad69a22328c6c8341433aee8ef99331a7cbdfcf9fce355cd54640bd99fbc7300ad2c107bf2b9804ef50e97df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
0280a3fad26465e4ebb8492d80302690

SHA1
d8c60ae58f94089fb70cd827aa0a15819b49961d

SHA256
f0c85906017e5129442ce0e4a158b082c8bdf1724c68201522f6395aa8407905

SHA512
2e5e7e2703e4433e0691a0decf908b0c16c44368d6e8e16b37581efc92e56fc857e11255aad82ef0aa6ad1309d6979643059349de511e4ab45f88123c72d5abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
391c20e03a174ed47bc43902e62de24b

SHA1
23b285d3c087e0d47d05a90c6f873e62fc14af31

SHA256
e35e96dc5f39308335343a4ddc6a2b2d4c9fb75dafdf212b0b8e3e18a06ee408

SHA512
6b4ada5db940a2f50137a02abbfedad7074ab12f8ebe338946a08ee8534bc2e88e6675e330f258bb3b7a3ccd0753de5bc8d6224e87e2320604cf4e54cd4d5f3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
3d29afa7e2602d8ca8d926d8fdcc0dc0

SHA1
dae5dba6d444f5e5fa8fa7dc6bcd1a9c2ee87d85

SHA256
0b8f4a50ab0dbdcde938259082a80a469f4022983ff813d2d9e1444701824ff1

SHA512
878415380785b76f85404c810166adb925c2e4dae94aef1cb68b18df2d5ff2080c8f36aafbfb6f63755f8227f3be854821a31b1f772b3e8028c4d7e21bd2e9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
536B

MD5
c13176ade493cce88bc43c58e5360f22

SHA1
368c9b40100f45ddda634661894581cfb8d86a85

SHA256
6b397ed0ca2022f7c0fee7cf3a31694e6ae8c8aa0903f425783d016250e6f243

SHA512
59ef83c840b1b59063f89206662e806b5d2e08e2b86b2cea148bb19d4dd79854771a21991f158b226cc736f6ebb241a86f93aa148f11b47a686e24dda9ad32ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
871B

MD5
8bdeb22712dad9265e3fea8b6bb834e6

SHA1
7dc34be33a1d1a8a531de39006ed553c026985a8

SHA256
9d7160ef58def7b3d59ba977f43f25bed23885d2f8a980644576174f6fd0f122

SHA512
6ae998b4bca59760ea17b47ab7614a4c6ec4504a9b6313dc6e49448f6a25dbb33f4dfd30bddad35644155ede3cbb05f6d272e85bb9fa2bd3e9ade71fb04297fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
522f25efd32969507e506b7094d1bbaa

SHA1
54deb2434d3aa59d1ddb4080ffa5d2aa99d73ec8

SHA256
2b40dd9cb4aa77824de4109afec8c6c45d9d597640c8da8f3424cef83ef7d8ec

SHA512
a3956330aa5040e11e692e9e12df31b4249d85154c56d3e8c10e600189e9c354018ac58adf9ecabdd853c4a9c170073d0817c6024bdefa04596438044ce097a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e51f467ce6ca19aff2d50b2faf7e5298

SHA1
b89b6c3fe47f5d69272f65b1803a7d54ea06f5b4

SHA256
0e2b0e2cc59e6fef7c643ac048532459eedda85a62aadec698d6a877681053c8

SHA512
16d54a93c91d62d0dfede0deae915913c6bcaa97549d529a97ed8c1f557d5135143ee8588dfa4071583a011129fb50536321a0ed91442e9f9005529e68c3d7e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2f20e25b24d13898262390ba4f0ee352

SHA1
d7e2b25421132ad7b386aad758765fa903157f58

SHA256
ffd2488cc4de8bf66b1c8cd5158f9deda9242295e789def6ca617ffe101d41e0

SHA512
7d4414ef1db18b8ddb1f3b67e16ad4cc38d0d35815a273ef07682699d9970f74864300d4a8d9c9d054602ad50c4fdacff9991e1ac2291898b42a90d0830fa81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e6fd309c80fd6e30798937b696728dde

SHA1
b083a6eccef6c830c37ccc4f0e40c3b8648bf165

SHA256
78178a5545c8229f487cfe1e8ce2c17aeaf45ec0e5645497b32b6fc6603b0d3f

SHA512
8ebba9ac17a05859af835fbf1373c20df12af9f40d29fc47539877264a16efd8a41d1ab24340c8ae276780ea3f06d7f6d8f0dcfad97f43c6d12fa3bb8fb7b4bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
ad41000d4c5dd638c81761e0b9ebc3cc

SHA1
aaf60370a407fe0aa7c497f3ff524117723851b2

SHA256
df4147ca0e0c8c9ce531e71309f04e03ce399ba3675156c3f8003ed11ace6390

SHA512
9b7865e0cde9a3c965b803d5a64a17573d9ea38ad76466e1860fd787fcd38c2dfd1eaf939d6e5d06e91fcbe2853d4f9a3f71ef9938fda0a32f691576eacbda7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cff76.TMP
Filesize
48B

MD5
a6ea12c3d24cca6293017b50169c1d17

SHA1
4381a4ef761c0953dbf5c2d1bf5de5a08daf65c4

SHA256
3d959632c8d3727b14849d32b4a1af35aefb348021e310993135a22ef51d7af8

SHA512
e1845e430c9c6d8799a900361776c80530c0965c0d72640ee031f4e4451185f220ec51490f25775e07c582bf54d8ee7afa952cf2d03856f8b2ed8f6cdc27c6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
193KB

MD5
8410ba61cec4ca8f92f67e861e1833a4

SHA1
c5717ab9e0be5b07a2e13d4014e1f70bdf8e2f36

SHA256
2107093a64efdfa80741cc547c78cc7518633c136347006ec1ab6afadaea16c6

SHA512
97996ff95c1ce2a8a6d72add7bfc620c4ffe686658d48e0e24041eabf07a27da94cb2a0f84cc318a0e194f137294c62bb85cf15a9f481f2c36d7b911e23c5ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
28KB

MD5
f61f3493bf0ce6f19da255e9093c7a8e

SHA1
709eca0b7fb8e1ee152902381cbb392ba63724db

SHA256
c1169589ec4fef668d4f9c865eebfcee4f698b0797ded5dac7707b477578d04d

SHA512
0323c703a07ff2812ec8316e170cb6ae90b117bf4294a2da8fea543837160bde320c991eeece1e6f353c2be8d0ff6050f4b65e0a3fa87d5c0495dd5c69313b06

Download Submit
C:\Users\Admin\Desktop\Payment_Receipt\Payment_Receipt.cmd
Filesize
2.4MB

MD5
49da6d69f825c8723f3549d0248921fa

SHA1
a4994443e9441a9315f27d07d46e1c4ad952c146

SHA256
f5960dc9a89da73d8b612e94145ec5664082dad50514071a54e4cc7d8a7820ca

SHA512
0b8c7f0e5aa7146303e354443254761d3cf16a139b3294de366fb0a1f756258307b7eb445e9e8138359e2c30e428afacbd939dd6cc8d61a57cebc78e6047de85

Download Submit
\??\pipe\crashpad_1776_BZXXDDZOBTGXTJWK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit